As always, if someone has physical access and unlimited time, no device or computer is safe.
Also, Mailbox.app only supports GMail. Security minded people are obviously not the target market.
(edited to make my point more clear :)
When the device is locked the file is encrypted and cannot be easily retrieved with a USB cable and a file explorer. An app that does not properly secure its files is readable even when the device is locked.
Whether users pick appropriate passwords is another matter entirely.
>if someone has physical access and unlimited time
There is no such thing as unlimited resources.
If I had unlimited time I could crack every encrypted message on the planet.
Using DPAPI turns a 30 second hack into an online cracking job. The crypto processor in the iPhone can only check one password every ~80ms and you need the chip with you. An attacker cannot do an offline attack.
All this stuff can be kludged onto email, but the attitude should be "unless I've taken measures to add security this thing is not secure".
A basic bit of security, especially one that doesn't put any more load on the user (to have to maintain or set up) is a pretty big no-brainer. Raising the bar for a successful hack is also worth doing when the cost is a single line of code and no effort on the user's part.
What's on offer here? 10 minutes extra tamper resistance? For a protocol which is inherently insecure?
Sure, if you're the CEO of some big company and a skilled attacker really wants at your email, this is only a stopgap - but this is also sufficient to stop less proficient attackers entirely. For most people this is all they need.
> "it's more like telling bicycle riders to use anti-puncture tape."
If anti-puncture tape has literally no downsides whatsoever to the bicycle rider's experience, and costs nothing, then yes. Why wouldn't you have it?
I wasn’t suggesting it shouldn’t be. My point is that the article’s headline is overly dramatic: Mailbox.app is not a complete security failure because of one hack that requires physical access. Given that Mailbox only supports GMail, I’d be more worried to put my email in Google’s hands than worrying over someone grabbing my phone out of mine.
“Mailbox is BIG. We are not talking of an average app here!”
Mailbox.app is a free app that has been downloaded a couple of million times, I wouldn’t call it “BIG” yet. It’s very new, it’s still on version 1, so it’s not expected to be perfect.
The problem is that we take mobile devices with us every place we go. So physical access is not difficult to obtain.
This really is a big deal primarily because the developers of Mailbox.app did not take steps to even obfuscate the stored data...which would deter all but the most determined of attackers.
Given physical access and "unlimited" time (i.e. no more than a million human lifetimes, say), then certainly an attacker can gain access to the device and make it do what he wants.
However, if the data on the device is securely encrypted, then physical access and (reasonable) time doesn't matter. He won't be able to get at the data.
In other words, this is the expected behaviour when your phone is unlocked.
This article just helps compound the idea that that trust might be a little misplaced....
I'm back to Sparrow now (which doesn't do push) and quite happy: Mail.app tells me I have a new message, then I process my emails in Sparrow.
If you jailbreak the phone you can access all non-protected data.
iOS Mail app uses DPAPI correctly. For push mail when the phone is locked it will use a public key to encrypt the data.
I am unsure if even the Gmail app uses it correctly, I only tested the stock mail app.
If you have an escrow key pair (i.e. synced to iTunes) you are screwed. You should do a DFU mode restore to wipe the keybag completely.
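The "single line of code" that several commenters above refer to, and the push-mail case the previous poster describes, look like this in practice. This is an added example, not code from Mailbox.app or from Apple; it assumes a plain Foundation/Objective-C iOS app, and the file names and function names are hypothetical. It writes the same message body three ways: with no protection (what an app that "does not properly secure its files" does), with NSFileProtectionComplete (ciphertext is all that a USB file browser can copy while the device is locked), and with NSFileProtectionCompleteUnlessOpen for data arriving while locked, which is wrapped with the class public key and only readable after the next unlock. The last function reads the attribute back so you can verify which class a file actually got.

```objc
#import <Foundation/Foundation.h>

// Hypothetical helper: path of a cached message inside the app's own sandbox.
static NSString *CachePath(NSString *name) {
    NSArray *dirs = NSSearchPathForDirectoriesInDomains(NSCachesDirectory, NSUserDomainMask, YES);
    return [[dirs lastObject] stringByAppendingPathComponent:name];
}

// Weak form. A plain write gets the file system default, which on iOS 6 (the version
// discussed in this thread) is NSFileProtectionNone: the per-file key is wrapped with a
// class key that stays in memory while the device is booted, so the plaintext is
// readable over USB whether or not the screen is locked. Later iOS releases default
// third-party files to CompleteUntilFirstUserAuthentication, which still leaves them
// readable after the first unlock since boot.
BOOL WriteMessageUnprotected(NSData *body, NSString *name, NSError **error) {
    return [body writeToFile:CachePath(name)
                     options:NSDataWritingAtomic
                       error:error];
}

// Hardened form. NSDataWritingFileProtectionComplete wraps the per-file key with the
// class key that is discarded from memory when the device locks. A locked device then
// yields only ciphertext, and the attacker is back to guessing the passcode on the
// device itself, rate-limited by the crypto hardware. Note that this class cannot be
// written while locked, so it is wrong for a background push handler.
BOOL WriteMessageProtected(NSData *body, NSString *name, NSError **error) {
    return [body writeToFile:CachePath(name)
                     options:NSDataWritingAtomic | NSDataWritingFileProtectionComplete
                       error:error];
}

// Push-mail form. CompleteUnlessOpen uses an asymmetric class key: the public half is
// available while locked so the file can be created and appended, but reading it back
// needs the private half, which is only unwrapped at the next unlock.
BOOL WritePushedMessage(NSData *body, NSString *name, NSError **error) {
    return [body writeToFile:CachePath(name)
                     options:NSDataWritingAtomic | NSDataWritingFileProtectionCompleteUnlessOpen
                       error:error];
}

// Spot check for the class a file really ended up with. Returns one of
// NSFileProtectionNone, NSFileProtectionComplete, NSFileProtectionCompleteUnlessOpen or
// NSFileProtectionCompleteUntilFirstUserAuthentication. Worth running in a unit test, and
// worth running against a jailbroken copy of someone else's sandbox when auditing.
NSString *ProtectionClassOf(NSString *name) {
    NSDictionary *attrs = [[NSFileManager defaultManager] attributesOfItemAtPath:CachePath(name)
                                                                          error:NULL];
    NSString *cls = [attrs objectForKey:NSFileProtectionKey];
    return cls ? cls : NSFileProtectionNone;
}
```

Setting an application-wide default via the "Data Protection" entitlement covers files the app creates itself, but it does not retroactively change files that already exist, and it does nothing for SQLite databases or caches written by third-party libraries that pass their own options. Checking the attribute after the fact, as the last function does, is the only way to know.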
Then, even if the device is later locked, they can bulk copy unencrypted files using tools like iExplorer, and browse at their leisure.
It's funny how some business class apps store usernames and passwords in clear text in their app sandboxes.
If you can unlock the phone, you've almost certainly already lost here.
Because as far as I am aware, few mail clients either support or (if they do) actively encourage an extra password layer, and your users do not want it. Given an average un-password-protected phone, you will be able to read their email even if they were using the iOS encrypted files framework, just by opening the app.
I apologize, but it appears that your headline is deliberate sensationalism. If you want to have a discussion about how we need to secure email apps in general, I'm interested. If you want to just pick the latest 'big thing' and take pot shots at it, nah.
Of course, I am not highly versed in security, so if there's another option I'm interested to hear it.
I think most devices paired with an ActiveSync (Exchange, GMail) account are required to use lock codes.
The argument that 'once you've lost the phone you've lost the data anyway' isn't really fair. If a passcode is being used, data marked as being a security concern is protected with the passcode. A 4 digit code is trivial to brute force, yes, but the point is that it should be done anyway.
Using iExplorer to find files is a lot easier than loading a custom bootloader on to the phone, booting custom firmware, brute forcing the passcode and decrypting the files. If anything, the extra time will raise the chance that you can get to a computer and initiate a remote-wipe.
I have not tested with a new 6.1.3 device yet, but if true, this would be a very serious security regression.
How about that, huh?
You might need to use an actual strong password though and not the 4 digit passcode.